On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>
> Got it. One thing I would correct, though, -- don't use kadmin.local, we
> do support setting ok_as_delegate on the service principals via IPA CLI:
> $ ipa service-mod --help |grep -A1 ok-as-delegate
>   --ok-as-delegate=BOOL
>                         Client credentials may be delegated to the service

I've tried

	ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

	modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat